ASA Local CA Depreciated: Use Windows CA
KB ID 0001616 Problem I got an email about this last night, I rarely ever use the ASA as a Local CA, But that has now been completely depreciated, (post version 9.12(x)) The documentation tells us; Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued...
Bring up a VPN Tunnel From the ASA
KB ID 0001604 Problem A colleague was doing a firewall migration yesterday and I offered to sit in, in case he had any problems, one of the tasks was a VPN tunnel getting migrated, this is usually painless, (if you have control of both ends!) But in this case we didn’t, and it’s usually the case, when there’s VPN problems, the people at the {ahem} ‘less experienced,’ end of the tunnel tend to blame the...
Cisco ASA Site to Site IKEv2 VPN Static to Dynamic
KB ID 0001602 Problem Site to Site VPNs are easy enough, define some interesting traffic, tie that to a crypto map, that decides where to send the traffic, create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you’re done! But there needs to be a ‘peer address’ in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you cant supply that? The...
Adding New Networks to Cisco AnyConnect VPNs
KB ID 0001593 Problem Note: To add new subnets to a traditional Site to Site VPN, see the following article instead; Cisco ASA – Adding New Networks to Existing VPNs I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it? Well that depends on where the new network is, and how it’s entering the firewall, these diagrams can be either way...
macOS – SSH Error ‘No Matching Exchange Method Found’
KB ID 0001245 Problem I thought my RoyalTSX had broken today, I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error; Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1 Note: You may also see the following error; Unable to negotiate with x.x.x.x port 22: no matching...
Cisco ASA: NAT 2 Public IPs to 1 Private IP
KB ID 0001582 Problem I got asked today if this could be done. My first response was ‘why?’ I cant really think of a use case for this. But a client had this on their previous firewall and were migrating to a virtual ASA, and wanted the config replicating. So I built something like this; Solution To be fair, my first thought was ‘why not simply add an additional internal IP to the web server, and NAT the second...